CodeQL documentation

Header checking disabled

ID: cs/web/disabled-header-checking
Kind: problem
Severity: warning
Precision: high
   - security
   - external/cwe/cwe-113
Query suites:
   - csharp-code-scanning.qls
   - csharp-security-extended.qls
   - csharp-security-and-quality.qls

Click to see the query in the CodeQL repository

This rule finds places in the code where header checking is disabled. When header checking is enabled, which is the default, the \r or \n characters found in a response header are encoded to %0d and %0a. This defeats header-injection attacks by making the injected material part of the same header line. If you disable header checking, you open potential attack vectors against your client code.


Do not disable header checking.